New Android Trojan Steals Money Using PayPal’s App

Recently there have been some malicious trojans found on Android, but the newest one is probably the worst of them all. This new threat automates a PayPal transaction for $1,000 and sends it using the official PayPal app. Even users that have enabled two-factor authentication on their phones are still at risk.

This trojan works by leveraging Android’s Accessibility Services. It disguises itself as an Android optimization tool and has been making its way onto users’ phones through third party app stores (which is one more reason not to use them).

When this app is installed, it also creates an accessibility service called “enable statistics.” Even though this request seems harmless, it will allow the app to monitor the users’ actions and retrieve window content. It also allows the trojan to emulate touches, and will generate a notification that looks like it’s from PayPal, urging the user to log in.

When the user taps this notification, it opens the official PayPal app (if installed). The app then prompts the user to log in. Since this is a legitimate login attempt, two-factor authentication does nothing to secure the account. Once you are logged in, the app takes over, transferring $1,000 from your PayPal account to the attacker. The entire process happens in just seconds. The only thing that stops the process it if the PayPal balance is too low.

Here is a video that shows the process in action: https://www.youtube.com/watch?v=yn04eLoivX8

To keep your device safe from these transactions, be sure to:

1. Only install apps from Google Play. Avoid third party app stores, especially ones that promise paid apps for free.

2. Be extra cautious when sideloading (transferring files you already own to your device from Bluetooth or WiFi).

3. Don’t install pirated apps. This potentially opens you up to all sorts of malicious attacks.